ericalexanderorg (36)
Last Login: August 03, 2020
ericalexanderorg's Latest (14) Contributions
Technical Analysis
More detail:
https://swarm.ptsecurity.com/openfire-admin-console/
Stupid easy
GET /plugins/search/......\conf\openfire.xml
Technical Analysis
More detail:
https://swarm.ptsecurity.com/openfire-admin-console/
Stupid easy SSRF
/getFavicon?host=192.168.176.1:8080/secrets.txt?
Technical Analysis
Not enough data ATM to accurately talk risk, but there are some concerning factors. Taking an educated guess at value & exploitability.
dom-based cross-site scripting
CVSS PR:N – No authentication required
Magento v1 just hit EOL and this patch is only v2. It’s not going to be a simple patch operation for many as they navigate dependencies from the v1 to v2 jump.
Magento put the mage in magecart – it’s a popular target
Check out the commit with the fix for pointers on how it can be exploited
https://github.com/grafana/grafana/pull/25322/files
Technical Analysis
SSRF should be possible through https://vulnerable.host/avatar/redirect
That redirect is tricky since the vulnerable code is splitting on “/” and taking the last value. Need it to hit a url with a vulnerable redirect that can redirect to a metadata URL. From there it may be possible to hit the metadata url and grab STS tokens or pivot elsewhere.
Technical Analysis
Requires authentication but after that it’s a couple of easy hops to get to admin – and with that: pillage secrets, deploy additional backdoor, pillage secrets, review code for additional vulnerabilities. Game over.
Technical Analysis
Wording on this alludes to an authenticated RCE, but they consider an anonymous user authenticated. Nexus servers store artifacts that could be altered to pivot elsewhere. This will be a high when a POC surfaces; for now I’m going lower. The number of much older versions (that also have vulnerabilities) in Shodan suggests many organizations are not keeping up with patching.
Technical Analysis
With a CVSS base score of 7.4 and 1.7 million code hits from a Github search, this is looking like it has potential.
Technical Analysis
SSRF in an npm package that’s downloaded 23k/week and is found in 4k Github repos. High because of its value to grab access keys from cloud metadata urls.
Technical Analysis
XXE vulnerability in a library that’s in use by over 500 projects on Github.
Technical Analysis
Not enough details to fully assess ATM but GitLab is signaling this is a high value vulnerability through: 1) Out of band critical release 2) Withholding details for 30 days (not sure they’ve ever done so).
Technical Analysis
Not enough information to accurately assess ATM. Potential to read config file or access files within git repositories. Odds are some of those repositories have secrets that can be used to pivot further.
https://rhynorater.github.io/CVE-2020-13379-Write-Up